Blog

Digital Intermediaries Responsibility for Unknown CASL Violations

December 11, 2018

Written by Martin P.J. Kratz

Canada’s Anti-spam law (CASL) is ambiguous and very onerous to comply with. The parliamentary INDU Committee, that studied the law, made numerous recommendations in order to provide needed clarity to the law. In December 2017, their report stated “The Act and its regulations require clarifications to reduce the cost of compliance and better focus enforcement.” The government has responded confirming they intended to act on the recommendations.

Rather than contribute to greater certainty many have suggested that this guideline creates further uncertainty for those seeking to comply with CASL about the scope of conduct by an intermediary that would give rise to liability.

One should recall that CASL is much more than a law directed at unwanted commercial emails (the traditional meaning of spam). Rather, it prohibits sending, causing, or permitting to be sent, commercial electronic messages without express or implied consent (section 6), it prohibits altering, or causing to be altered, transmission data in electronic messages, in the course of a commercial activity without express consent (section 7) and prohibits installing, or causing to be installed, a computer program on another person’s computer in the course of a commercial activity without express consent; or having so installed or caused to be installed a computer program, cause an electronic message to be sent (section 8). The type of consents under CASL are not principle-based, but are narrow and prescriptive. The encompassing language used in CASL provides that the prohibitions apply to a wide range of activity.

Liability arises under CASL from direct actions that contravene the broad prohibitions. Liability also arises under section 9 of CASL that prohibits anyone to “aid, induce, procure or cause to be procured” the doing of any act contrary to any of sections 6 to 8.

There are many cases where several parties are involved in conduct that may engage CASL. The CRTC guidelines identify the following examples: “advertising brokers, electronic marketers, software and application developers, software and application distributors, telecommunication and internet services providers and payment processing system operators.”

From a plain reading of the terms “aid, induce, procure or cause to be procured” require some positive action by the intermediary service provider in order to engage the section 9 prohibition.

The CRTC advises that they look at a number of factors that such intermediaries play in a possible section 9 violation. Those factors include the level of control the service provider has over the conduct that violates CASL, the degree of connection between the service provider’s action and the conduct that violates CASL and evidence that the service provider took reasonable steps to prevent violations from occurring.

Due diligence is a defense to prosecution under CASL. The CRTC guidelines provide examples of potential violations of CASL and recommended steps for intermediaries to mitigate risk (including due diligence measures). However, the CRTC guidelines speak to extensive proactive steps they encourage an intermediary to do as part of a robust compliance program, including auditing how existing customers use a service and taking very substantial steps to identify the identity of customers, including obtaining company name and address, previous or current aliases, length of time in operation, primary corporate directors, other relevant stakeholders and, where appropriate, to obtain incorporation records, government-issued identification, or tax records. This seems to be an extensive range of conduct that intermediaries are cautioned to do including obtaining substantial likely confidential information from its customers.

The CRTC takes the position that awareness of violations by a customer is only a factor when assessing section 9 violations by an intermediary. Indeed, the CRTC indicate that awareness of another’s violations of CASL is not necessary for the intermediary to be found liable. If so, then the CRTC seem to be interpreting that neither intent nor any knowledge of the violations of another is required in order to “aid, induce, procure or cause to be procured” the violation of the other. It seems sufficient for intermediary liability to arise to merely be providing the enabling tools or services that are misused by others.

Given that it is acknowledged that CASL lacks clarity and provides for fines up to $10,000,000 for each violation, the business community has reacted quickly to what has been presented.

On December 10, 2018, a coalition of 14 business organizations, representing a very large group of Canadian business, have sent an open letter to the chair and CEO of the CRTC expressing concern that the “Bulletin suggests that a broad range of intermediaries could be liable under section 9 for violations of CASL by third parties simply by providing the services or facilities used by such third parties to contravene CASL, or by providing technical assistance or advice, even if the intermediary did not intend to assist in a contravention of CASL or was unaware that its activities enabled or facilitated contraventions of CASL by the third party.”

The business coalition express concern “that virtually any organization engaging in electronic commerce, or providing a web-based service, may be liable for the CASL violations of third parties, with no actual or constructive knowledge that third parties were using that organization’s products, platform, software, tools or services” and that such a position places an undue due diligence requirement on all such intermediaries. The business coalition seeks to meet with the chair and CEO of the CRTC to discuss how the guidelines will be applied.

In the meantime, businesses engaged in legitimate electronic commerce in Canada should consider how the CRTC guidelines might impact their operations. All should hope for the promised and urgently required reforms to CASL.